NDPC Strengthens Data Privacy Framework for Telecoms, Hospitality Sectors

The Nigeria Data Protection Commission (NDPC) has begun moves to tighten data protection requirements for the telecommunications and hospitality industries as part of efforts to build stronger, sector-specific privacy safeguards across the country.

The initiative is aimed at developing tailored regulatory frameworks for sectors that process large volumes of personal and sensitive data, rather than relying on a broad, one-size-fits-all compliance model.

The proposal was presented during a stakeholder engagement held in Abuja, where regulators, industry operators and experts met to review emerging privacy frameworks covering telecommunications, financial services and hospitality operations.

At the meeting, the National Commissioner and Chief Executive Officer of the NDPC, Dr Vincent Olatunji, said the Commission is deliberately adopting a collaborative approach to rule-making to ensure that regulations are practical and reflective of industry realities.

According to him, stakeholders are engaged from the early stages of drafting so that the final rules are shaped by input from those who operate within the sectors.

He explained that although the Commission has the statutory authority to issue regulations independently, it prefers what he described as a “co-creation model” that allows for wider participation before finalisation.

Olatunji added that this approach, which was also applied during the development of Nigeria’s data protection law, had contributed to its credibility and international recognition.

He further noted that the NDPC is now shifting from general guidelines to more targeted frameworks, arguing that different industries face distinct risks and therefore require different compliance structures.

He pointed out that the hospitality sector now handles extensive personal data ranging from booking details and payment records to CCTV footage and guest identity information, often involving third-party digital systems.

On the telecommunications sector, he stressed its central role in the country’s digital ecosystem, noting that almost every major service today is linked through mobile networks.

“Almost everything today runs on the phone,” he said, highlighting the sector’s influence on banking, transport, healthcare and other essential services.

Olatunji also maintained that the Commission continues to operate independently in enforcement matters, describing it as one of the more respected data protection authorities globally due to its regulatory stance.

One of the resource persons, Rex Abitogun of Management Edge, supported the move towards sector-specific guidelines, warning that a uniform regulatory framework would not adequately address the varying risks across industries.

He explained that telecommunications infrastructure underpins a wide range of services, including banking, healthcare and hospitality, making it a critical point in the data value chain.

Abitogun also stressed that early engagement with operators reduces resistance and improves compliance outcomes, as industry players are more likely to implement rules they helped design.

“There will be no resistance if you are not dumping it on operators. When they are part of the process, they own it and are more likely to implement it,” he said.

He further noted that hospitality operators routinely manage sensitive personal information such as identity documents, payment details, Wi-Fi logs and surveillance data, all of which require strict protection.

Another expert, Abdul-Hakeem Ajijola, raised concerns over increasing dependence on foreign digital platforms and cross-border data flows, warning that such reliance could weaken local control over data.

He observed that many digital services rely heavily on external infrastructure, creating challenges around data sovereignty and value retention within the country.

Ajijola also cautioned that everyday digital activities, particularly on global platforms driven by artificial intelligence, involve extensive data capture that many users are often unaware of.

Earlier in the session, Head of Legal, Enforcement and Regulations at the NDPC, Babatunde Bamigboye, said the engagement forms part of broader efforts to deepen privacy rights enforcement and improve compliance under Nigeria’s legal framework.

He disclosed that the Commission has conducted extensive audits and assessments involving thousands of data controllers and processors across different sectors.

According to him, the ongoing work is focused on identifying sector-specific challenges and building frameworks around lawful processing, accountability, data minimisation and stronger security controls.

Bamigboye added that the Commission’s long-term objective is to shift organisations from procedural or “paper-based” compliance to a culture where data protection is fully embedded in operations.

The engagement also had participation from the Nigerian Communications Commission (NCC) and stakeholders across the telecoms, financial and hospitality sectors, with outcomes expected to guide the final sectoral data protection frameworks.